Key Takeaways: EDPB Opinion on AI and GDPR
- Anonymity Matters: Only truly anonymous data is exempt from GDPR. AI developers must ensure data cannot be re-identified.
- Legitimate Interest: Using this legal basis requires balancing AI development needs with individual privacy rights.
- Unlawfully Processed Data: AI models trained on unlawfully processed data can still be used if the data is fully anonymized.
- Enforcement Gaps: Regulators face challenges in applying GDPR to generative AI tools.
- Privacy by Design: Developers should embed privacy measures throughout AI development to ensure compliance.
Navigating GDPR Compliance in AI Development
The European Data Protection Board (EDPB) has released an opinion addressing how artificial intelligence (AI) developers can use personal data to build and deploy AI models, such as large language models (LLMs), without violating the European Union’s privacy regulations. The EDPB’s guidance is highly influential, providing a framework for regulators to enforce the General Data Protection Regulation (GDPR).
The opinion focuses on critical areas, including whether AI models can be considered anonymous (and therefore exempt from GDPR), whether “legitimate interests” can justify processing personal data without individual consent, and whether AI models developed with unlawfully processed data can later be used lawfully.
Legal Basis Challenges for AI Compliance
One major challenge is determining the legal basis for processing personal data in AI development. The GDPR offers limited options, and the appropriate legal basis remains a topic of debate. High-profile cases like OpenAI’s ChatGPT highlight the potential consequences of non-compliance, including penalties of up to 4% of global turnover or orders to modify AI tools.
Model Anonymity: Case-by-Case Assessments
On the issue of model anonymity, the EDPB clarifies that anonymity must be assessed on a case-by-case basis. To qualify as anonymous, AI models must make it “very unlikely” for individuals to be identified, either directly or indirectly, from training data or model outputs. Developers can use techniques such as differential privacy, data minimization, and robust methodological choices to mitigate risks.
Legitimate Interests as a Legal Basis
The EDPB also explores whether “legitimate interests” can be a viable legal basis for processing data in AI development. This approach, unlike consent, might offer scalability for developers managing vast datasets. However, regulators will need to apply a three-step test:
- Purpose and Necessity: Is the data processing lawful, specific, and essential for achieving its goal?
- Proportionality: Is the amount of data used reasonable, and are there less intrusive alternatives?
- Balancing Test: Does the processing respect individual rights, and were the data subjects likely to expect such use of their information?
Mitigation measures, such as pseudonymization and transparency initiatives, may be required to minimize risks and balance the interests of individuals and developers.
Addressing Unlawful Data Use
For AI models trained on unlawfully processed data, the EDPB suggests that developers may avoid regulatory penalties by ensuring that personal data is anonymized before deployment. If developers can demonstrate that the operational model no longer processes personal data, subsequent use may comply with GDPR.
This interpretation has sparked debate. Critics warn it could unintentionally enable unethical data collection practices, undermining GDPR’s foundational principle that personal data must be lawfully processed throughout its lifecycle.
Implications for Developers and Regulators
The EDPB’s opinion provides regulators with tools to enforce GDPR compliance and offers AI developers insight into navigating legal uncertainties. However, it emphasizes that no single solution applies universally. Regulatory assessments will depend on the specifics of each case, including the AI model’s design, purpose, and data usage.
Ireland’s Data Protection Commission, which requested the EDPB’s guidance, expressed optimism about the opinion’s role in ensuring proactive and consistent regulation. It also highlighted the importance of engaging with AI companies to address compliance before their technologies enter the EU market.
A Dynamic Landscape for AI Regulation
The EDPB’s opinion reflects the evolving complexity of applying GDPR to AI technologies. As AI developers continue to innovate, they must remain vigilant in aligning their practices with privacy laws. Meanwhile, EU regulators face the challenge of balancing technological progress with the protection of individual rights.